February 15, 2018

The Cyberization of Personal Health – Do New Apps Pose a Threat?

A look ahead to the unification of healthcare and how patients access their information.

It has been announced that Apple is expanding its HealthKit application to make it possible for a person to view their own health records on their mobile devices. According to Apple, it is strange that people routinely can see their financial information, but are unable to find out about their personal health. The company now is experimenting with Johns Hopkins Medicine and Cedars-Sinai to work out the bugs. The health applications being pioneered by Apple and others are making it possible for people to keep track of their body fat, monitor their hearts, link into their exercise machines, and more.

The promise is that people can live healthier lives. Already my Apple device nags me when I have been sitting at my desk for too long, reminds me to go to sleep on time, and gently wakes me up after eight hours, but only on the weekends.

This trend toward the “cyberization of personal health” started with standalone applications, but inevitably, these systems can work best only when connected to the giant information systems containing patient data.

Information technology revolutionized back-office processing in hospitals, first in billing, then in purchasing and more complex transactions. Now, electronic health records (EHR) are an essential component of the “information infrastructure”. What were at first internal standalone systems eventually grew into the giant inter-organizational billing and health logistics systems that we see today. Health systems link together insurance companies, government payers, intermediary processing companies, auditing companies, pharmacy benefit management organizations, public health officials, and even law enforcement.

In an evolutionary sense, the trend toward the proliferation of health-related apps and supporting specialized health monitoring is a continuation of this trend. Just as new forms of treatment will rely increasingly on personalized medicine, these apps create a custom-made information environment tailored specifically for the patient being served.

And apart from Apple, there are other efforts involving information technology-based innovation. For example, the Amazon announcement of a giant healthcare offering promises the creation of a better system of record-keeping and glittering efficiency, as with its one-click shopping.

But like every innovation in our healthcare system, we can expect that it will eventually be bogged down in the swamp of interfaces, and delays, and disputes, and audits, and litigation, and a nightmare of obstruction that will increase costs and kill off any promised efficiencies.

The Burden of Complexity

The basic problem is that the United States has created a vast monster of a healthcare system in which the amount of money spent on information processing probably exceeds what is actually spent on patients. This is because more and more resources are being drained into efforts required to service the processing of information. The relative cost is incredible.

We can be sure that the amount of patient contact hours is only a fraction of the time spent by clerks in processing the data associated with any sickness, small or large. We know that insurance companies are eager to stopwatch the minutes a doctor spends with a patient. But do they also limit the time spent on each patient by the bureaucracy? Perhaps if they did, it would stimulate a wave of innovation in the back office.

One driver of the overwhelming complexity that we see is the lack of a single unified healthcare system. In today’s system, in the United States, different hospitals, different insurance companies, and different health plans all have variations in coverage, coding, and data definitions.

We have created a giant Tower of Babel in which systems barely talk to one another, and when they do, it is only after the investment of a huge effort in building translators, converters, lookup tables, and all of the other paraphernalia necessary to get incompatible systems to work with each other.

A few visionaries dream of a single unified information healthcare system for the nation. Everyone speaking the same language, all of the data compatible, files and records that remain with a person their entire life – imagine. With “cradle to grave” record-keeping, it always would be immediately possible to assess the entire health history of a patient.

The benefits for research would be staggering. Having a unified database with all patient data, their entire health records, every prescription ever taken, every disease suffered, and the relationships with other family members and ancestors would provide a giant platform for statistical analysis, multilinear regression, social network modeling, and other techniques of big data analysis. When genetic data is included, the benefits of such a system of data would be incalculable.

In addition, we would see enhanced efficiency and speed in processing of health information, because the entire system would rest upon a shared understanding of standards and procedures.

Security

Security continues to be a concern for the healthcare profession. As you recall, in 2017, IT security in healthcare already was in the spotlight. Healthcare system security breaches went up 24 percent, but ransomware incidents went up 89 percent. In May 2017, the WannaCry ransomware hit thousands of information systems. That attack was followed by NotPetya, which took down Merck and Nuance. By June, the Health Care Industry Cybersecurity Task Force released a number of security frameworks, and the number of cybersecurity training programs shot up.

By August, professionals were worrying about the Internet of Things (IoT), including malware infection of medical devices or even pacemakers active within patients’ bodies. We can be sure that these same worries extend to the world of smartphones and the apps they are running.

In Stockholm, at the October ITechLaw conference, practicing attorneys expressed concerns that there is no legal standard defining an organization’s level of due diligence in management of their information systems. Organizations are being held responsible by government regulators, but with no objective standard of security. Without an accepted standard, organizations will remain unable to protect themselves from litigation claiming negligence in their data management.

Hackers, terrorists, non-state actors, and even state actors all continue to be antagonists to the global cyber infrastructure. What’s important is that ransomware is what the U.S. intelligence community calls an “advanced persistent threat.” In 2018, the tsunami of ransomware will continue to do damage to thousands of healthcare providers, both public and private.

This is the reality: there is no secure information system. It just doesn’t exist. Do you think if foreign governments can break into Sandia National Labs and download all of the technical details of America’s thermonuclear weapons, as they have, that your medical records are secure?

We know that Apple is taking many steps to protect the security of personal health information. All of the data is encrypted. This means that there is no copy of health data kept anywhere, not even on Apple servers, or any other server.

Will this be enough? We hope so, but if the past is any indicator of the future, these new apps will be compromised, just like all of the other healthcare systems.

Edward Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.
